This article covers setting up both SAML-based single sign-on and SCIM-based user and group provisioning.
Setting up SAML-based single sign-on (SSO)
SAML-based single sign-on (SSO) gives members access to Fulcrum through an identity provider (IdP) of your choice. SSO is available on Fulcrum Enterprise accounts and can be enabled by your Account Manager.
Fulcrum’s SSO can be used with any directory management system that supports the SAML standard; we’ve also published apps with two of the most popular identity management platforms: Okta and Microsoft’s Azure Active Directory service. Each platform provides preconfigured apps that simplify provisioning within your directory.
Our SSO integration isn’t limited to these platforms, however. Other SAML-based systems that work with Fulcrum include Auth0, G Suite, Bitium, Microsoft ADFS, OneLogin, Centrify, and more.
What to Expect after Enabling SSO
Fulcrum supports a mixed environment of both managed (SSO) and unmanaged (Standard Fulcrum login) users.
Existing unmanaged members can be migrated to managed members if they are not members of any other Fulcrum Organizations.
SSO managed members can have the same email as existing Fulcrum system (unmanaged) members.
Only members with an Owner system role can add unmanaged members once SSO has been enabled.
Step 1: Configure your Identity Provider
To set up SSO for your Fulcrum organization, you'll need to create a connection between Fulcrum and your IdP. Fulcrum SSO can be configured to use any IdP that supports the SAML 2.0 specification.
Fulcrum supports Service Provider (SP) and Identity Provider (IdP) Initiated SSO.
Fulcrum supports Just In Time (JIT) user provisioning.
Fulcrum expects the following attributes in the SAML response:
roleattribute is optional and will default to Fulcrum's default role if omitted.
Step 2: Exchange Metadata
Once your IdP is configured, send your SAML metadata to your Fulcrum Account Manager. We will establish a domain for your organization, ingest your metadata and provide the appropriate metadata for your IdP.
Remote System Parameters
SAML Endpoint URL (Identity Provider URL)
SAML Identity Provider Issuer (also called IdP Entity ID) (Optional)
SAML Public X.509 Certificate
SAML Entity ID (Issuer)
SAML Single Sign On URL (Assertion Consumer Service URL) (ACS URL)
SAML Sign on URL (Shareable URL to Sign in to Fulcrum)
Step 3: Authenticate via SSO
Once SSO has been configured, you can authenticate to Fulcrum via your IdP on both the web and mobile apps. We can also optionally set a SAML timeout value to force authentication at a preset interval.
Be sure to review your Role settings to ensure the Default role is set as you expect before adding your SSO users.
When converting an unmanaged user to a managed user, users logged into the mobile app will be forced to re-authenticate when they next sync the app. The user will no longer be able to sign in using a password, and is signed out and will need to re-authenticate via SSO.
An organization can consist entirely of SSO managed members. Organizations must have at least one member and at least one Owner role.
Fulcrum requires the
nameid and the email list in the IdP to match.
Setting up SCIM-based user and group provisioning
Fulcrum supports user and group provisioning with the System for Cross-domain Identity Management (SCIM) standard. SCIM provisioning allows you to provision and deprovision Fulcrum users and groups efficiently through your identity provider (IdP).
Step 1: Get the API Token
In Fulcrum, generate and copy the API token.
Step 2: Enter the API Token in your identity management platform
Okta SCIM Guide
Note: Fulcrum SCIM integration with Azure is currently under review and you will not see it on the Azure site yet. SCIM-based user provisioning can currently be manually configured to work between Azure and Fulcrum.
The API tokens are bound to the user that created them. If the user or API key needs to be removed, the user provisioning SCIM integration needs to be updated.